[kwlug-disc] OpenVPN (Was: Re: firewall question)

Cedric Puddy cedric at thinkers.org
Thu Feb 19 00:25:46 EST 2009


Sure, unless you happen to subscribe to the view that most VM  
implementations are terribly insecure... (Why is it that any attempt  
to reach for certainty while in the presence of the concepts  
"computing" and "security" suddenly turns into an Alice in Wonderland  
adventure?)

I have heard it claimed that those in the know can trivially use the  
guest-to-host OS interfaces in VMWare to gain unrestricted access to  
the host systems memory, and can thereby read and write memory from  
anything running on that physical box -- I haven't seen it proven, but  
would love to see that with my own eyes to be sure.

I'm currently writing it off as more tin-foil-hat stuff at the moment,  
but keeping meaning to do some real research, and you know, get one of  
those "informed opinion" things I've heard so much about.

Last year when I was a conference, I ran across a couple of folks who  
where like "Oh, yeah, knocking over VM's is so easy it's like kiddie  
stuff these days <insert jaded hacker i'm so lee7 look here>", but I  
didn't actually get around to pinning anyone to the wall about it (so  
many things going on, so little time).

On the face of it, it stands to good reason that there could be real  
issues -- low level computing can have some pretty delicate bugs  
(witness the rarely sung deep genius that goes into a good compiler),  
and the benefit of finding an exploitable bug in one of those  
interfaces could be very high.  Finding issues at that level isn't for  
the stupid or lazy, but counting on that never works when you've  
talking about a product that's got good commercial mass.

In any event, the "issue" here (or, if you prefer, "tin foil hat  
scenario") is that the attacker could theoretically say "HooHa!  He's  
running in VMware -- lets just subvert the VM, and laugh all the way  
to the botnet!  (and if he resets, then I'll just nail him again!, or  
install a hook in the Host OS kernel to insert my stuff in the guest  
when it boots, or ... etc, etc.)"

	-Cedric

On 18-Feb-09, at 11:24 PM, Bob Jonkman wrote:

> So would it be better to run a VM as an endpoint to the VPN?  Every
> time the connection is established the VM is restarted from the same
> image, locked down by the Corporate IT overlords.  If the VPN can only
> connect to the VM virtual address, then is the corporate network safe
> from insecure remote hosts?
>
> --Bob.
>
>
>
> On 17 Feb 2009 at 23:49 unsolicited <kwlug-disc at kwlug.org> wrote
> about "Re: [kwlug-disc] OpenVPN (Was: Re: [...]"
>
> [...]
>
>> I say VPN = BAD for a couple of reasons:
>> (1) You are trusting clients to be good net citizens. Once connected,
>> they are an extension of your network. Typically internal networks
>> aren't as tightly controlled as, say, your internal/external
>> connections. Anyone who touches the keyboard is a risk. You have no
>> control over whom that will be. At least for internal computers, they
>> had to get past reception.
>
>> (2) Typically, the remote access required is a far smaller subset  
>> than
>> the entire network. And it's much easier to secure those fewer
>> connections. e.g. Remote e-mail can be done via ssl ports. Frequently
>> that's all they really need. Some VNC's don't allow file transfer,  
>> and
>> may be sufficient, assuming a sufficiently small number of clients.
>> Terminal services offer very close to VPN functionality, and have the
>> client operating on your own secured session, not on their own
>> unsecured computer.
>>
>> But, whatever the client wants. And is easy to explain ... click this
>> icon ... voila.
>
>
> _______________________________________________
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org

|  CCj/ClearLine - Unix/NT Administration and TCP/IP Network Services
|  118 Louisa Street, Kitchener, Ontario, N2H 5M3, 519-489-0478
\________________________________________________________
    Cedric Puddy, IS Director            cedric at thinkers.org
      PGP Key Available at:              http://www.thinkers.org/cedric





More information about the kwlug-disc_kwlug.org mailing list